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Abstract 

The ubiquitous presence of mobile communication devices and the continuous development of mo- 
bile data applications, which results in high level of mobile devices' activity and exchanged data, often 
transparent to the user, makes privacy preservation an important feature of mobile telephony systems. We 
present a formal analysis of the UMTS Authentication and Key Agreement protocol, using the applied 
pi-calculus and the ProVerif tool. We formally verify the model with respect to privacy properties. We 
show a linkability attack which makes it possible, for individuals with low-cost equipment, to trace UMTS 
subscribers. The attack exploits information leaked by poorly designed error messages. 

1 Introduction 

While most mobile phone users accept that the network operator can track their physical movements, 
few would be happy if an arbitrary third party could do so. Such a possibility would enable all kinds 
of undesirable behaviour, ranging from criminal stalking and harassment to more mundane monitoring 
of spouse or employee movements. For this reason, UMTS mobile phone protocols have been designed 
to prevent third parties from identifying wireless messages as coming from a particular mobile phone. 
The protocols include cryptography and the use of temporary identifiers (such as the Temporary Mobile 
Subscriber Identity (TMSI)) in an effort to achieve the aim of untrackability by third parties. 

Unfortunately, it is known that "IMSI catchers" can be used to force a mobile phone to reveal its per- 
manent International Mobile Subscriber Identity (IMSI) [1 , 2|. The possibility of such a breach of IMSI 
confidentiality is acknowledged in the UMTS protocol specifications ||3]. Until fairly recently, implement- 
ing an IMSI catcher required the specialised equipment found only in network base stations. However, the 
cost of such devices is becoming more and more affordable thanks to software emulation. 

In this paper, we identify a further problem with the key establishment protocols used in modern net- 
works. We show that if an adversary can capture a message to a phone that authenticates the phone by 
its TMSI, then the adversary can from then on distinguish its interactions with that phone from any other. 
To achieve this, the adversary replays the captured message. Our attack exploits the fact that the victim's 
phone will reply with subtly different error messages, depending on whether the replayed request is asso- 
ciated with it or with a different phone. In contrast with the IMSI catcher, our attack is not known to the 
protocol designers. 

It is straightforward to modify the protocol to avoid the IMSI catcher attack, by using public key encryp- 
tion. Avoiding the error message attack is more subtle, because the attack itself is more subtle. We propose 
a modification of the protocol. We model the key establishment protocol in ProVerif, and we demonstrate 
that ProVerif can find the attack based on the differing error messages. Then, we propose a simple fix, 
which prevents the attacker from distinguishing between the reply to a replayed message for the victim's 
phone from the reply to a replayed message from some other phone. We demonstrate that ProVerif does 
not find the attack in the revised version, and actually can prove that there are no distinguishing attacks. 

Unfortunately, our model is an approximation of the underlying protocol, in a precise way. The under- 
lying protocol uses exclusive-or as a means to perform a symmetric-key encryption. We do not model this 
encryption; indeed, we allow an adversary to see both the key and the plaintext. ProVerif's exhibition 
of the attack and its absence in the fixed protocol are both relative to this approximation. The approxima- 
tion is plainly incorrect for secrecy properties; however, the privacy property at hand is expressed as the 
attacker's inability to distinguish two situations, and intuitively, the approximation is a correct abstraction 
for that property. In the approximate model, the attacker has strictly more information with which to make 
the distinction. Formally proving that the approximation is an abstraction is left as further work. 
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1.1 Related Work 



Known Attacks on UMTS 

Previous work analysing UMTS security exploits the vulnerabilities which are propagated from GSM 
to UMTS when providing inter-operability between the two systems. Most of the reported attacks take 
advantage of well-known weaknesses of the GSM authentication and key agreement protocol, such as lack 
of mutual authentication and use of weak encryption. These attacks allow an active attacker to violate 
the user identity confidentiality, to eavesdrop outbound communications and to masquerade as a legitimate 
subscriber obtaining services which will be billed on the victim's account. For example, Meyer and Wetzel 
im present an attack which allows the attacker to impersonate a base station and eavesdrop a victim's mo- 
bile station communications. An even more disrupting attack allowing impersonation of a victim's mobile 
station and service theft is explained by Ahmadian et al. in fS]. 

To the best of our knowledge, the only attack that does not rely on GSM/UMTS interoperability has 
been presented by Zhang and Fang in |6|. The attack is a variant of the false base station attack and takes 
advantage of the fact that the mobile station does not authenticate the serving network. It allows the 
redirection of the victim's outgoing traffic to a different network, let's say a network which uses a weaker 
encryption algorithm or one which charges higher rates than the victim's one. 

AKA Protocol Security: Formal Proofs and New Proposals 

The UMTS authentication and key agreement protocol in its pure form (i.e. with no GSM support) has 
been formally proved to meet some of the specified security requirements fl], such as authentication and 
confidentiality. However, the framework used for the formal analysis does not capture Zhang and Fang's 
attack. Moreover, unlinkability and anonymity properties, which are the focus of our work, have not been 
analysed. 

A new framework for authentication has been proposed to take into account subscribers' privacy with 
respect to both the serving and the home network [8 1. Other recently published papers also propose new au- 
thentication protocols to enhance UMTS security and privacy fE^^. However, the adoption of the enhanced 
authentication protocols would require considerable changes to the current security architecture. Unlike our 
work, these works, do not rely on a formal study of the AKA protocol or present a formal verification of the 
proposed protocols. 

2 Introduction to UMTS 

Universal Mobile Telecommunications System (UMTS) is a mobile telephony standard specified and 
maintained by the Third Generation Partnership Project (3GPP). UMTS was introduced in 1999 to offer a 
better support for mobile data applications increasing the data rate and lowering the costs of mobile data 
communications. Furthermore, UMTS offers an improved security architecture with respect to previous 
mobile communication systems such as GSM (Global System for Mobile Communication). In the following 
sections, we will introduce the UMTS network architecture and we will describe in more detail its security 
features and the Authentication and Key Agreement (AKA) protocol, which is the main building block of 
UMTS security. We will then present a linkability attack which enables tracing UMTS subscribers thanks 
to the exploitation of the AKA protocol error messages. 

2.1 UMTS Architecture 

The network architecture of the UMTS system, depicted in figure[T] is built on the pre-existing voice and 
data mobile networks, by namely GSM and GPRS (General Packet Radio Service) networks, respectively. 
The user side of the network consists of Mobile Stations (MS). Each mobile station comprises a Mobile 
Equipment (ME) such as a mobile phone, together with a Universal Subscriber Identity Module (USIM), 
which identifies the user as a legitimate subscriber within a mobile telephony operator network. To access 
the services offered by a mobile operator, a MS connects through radio communication technology to the 
UTRAN (UMTS Terrestrial Radio Access Network) or GERAN (GSM/EDGE Radio Access Network). 
The latter one is a GSM/GPRS access network. 

A mobile station directly communicates with a Base Transceiver Station or Node B which covers the 
area the MS is located in. One or more Node B are connected with a Radio Network Controller (RNC), 
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defining a cell. A group of cells forms a Location Area. RNCs manage the radio resources and inter- 
cell handover and are the interface between the mobile station and the core network. The core network 
offers circuit-switch and packet-switch services. The Mobile Switching Centre (MSC) and Gateway Mobile 
Switching Centre (GMSC) offer, respectively, inter and intra-network circuit-switching domain services 
and interface the UMTS with the traditional fixed telephony network. The Serving GPRS Support Node 
(SGSN) and the Gateway Serving GPRS Support Node (GGSN) offer, respectively, inter and intra-network 
packet-switching domain services as well as connecting the UMTS network with the internet. 

Within the core network, the Home Location Register (HLR) stores permanent sensitive information of 
UMTS subscribers such as identity, service profile, and activity status. These informations are linked to the 
USIM and recorded when stipulating a contract with the mobile operator. UMTS offers roaming capabilities 
between different network operators, meaning that a mobile station can be connected to a visited network, 
called the Serving Network (SN), which might be different from the subscriber's Home Network (HN). 

Each subscriber has a long term identifier IMSI (International Mobile Subscriber Identity) that is stored 
in the USIM, and a temporary identifier TMSI (Temporary Mobile Subscriber Identity), allocated by the 
serving network. The purpose of the TMSI is to protect the subscriber identity privacy. To limit the use of 
the IMSI a subscriber identifies himself using the TMSI whenever it is possible. To avoid user traceability, 
the TMSI is periodically changed through the TMSI reallocation procedure. 

The Visitor Location Register (VLR) stores temporary information about subscribers visiting a given 
location area of the serving network and maintains TMSI/IMSI associations. The network operator and the 
subscriber share a long term secret key used for authentication purposes. This key is stored in the USIM. 
The Authentication Centre (AuC) is a protected database storing association between subscriber identities 
(IMSI) and long-term keys. 

2.2 UMTS Security 

We wiU consider a simplified network architecture so to be able to abstract from the network complex- 
ity and concentrate on the communication protocols taking place between a Mobile Station (MS) and the 
Serving Network (SN). 

When referring to a Serving Network we mean both the UTRAN/GERAN Base Station that the MS 
is directly communicating with, and the complex structure of databases and servers connected with it and 
forming the UMTS core network. 

When a mobile station connects to a network, a temporary identity, TMSI (Temporary Mobile Sub- 
scriber Identity) is assigned to it and is used, instead of the IMSI, to identify the MS. To avoid mobile 
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Figure 2: TMSI Reallocation procedure 



station traceability by third parties, the UMTS standard requires periodic updates of the temporary identity 
to be performed. 

UMTS communication system aims to provide authentication, confidentiality, and user identity confi- 
dentiality |]3]- In particular, the UMTS standard defines the following two properties concerning the sub- 
scribers privacy: 

• User identity confidentiality: the property that the permanent user identity (IMSI) of a user to whom 
a services is delivered cannot be eavesdropped on the radio access link; 

• User untraceability: the property that an intruder cannot deduce whether different services are deliv- 
ered to the same user by eavesdropping on the radio access link. 

To achieve the above mentioned security properties, UMTS relies mainly on the Authentication and Key 
Agreement (AKA) protocol, on ciphering and integrity checking of the confidential data transmitted on the 
radio channel, and on the use of temporary identities. The AKA protocol allows MS and SN to establish 
a pair of shared session keys: a ciphering key and an integrity key, to be used to ensure the secrecy and 
integrity of the subsequent communications. 

As previously mentioned, mobile stations are identified using temporary identities. New temporary 
identities are assigned by the network using the TMSI reallocation procedure, which consists of a message 
containing the new TMSI, followed by an acknowledgement message. To avoid the linkability of consecu- 
tively used temporary identities, the new TMSI is encrypted using the session key CK established during the 
execution of the AKA protocol. The standard requires a new TMSI to be allocated at least at each change 
of location area ||9l. The TMSI reallocation is usually performed in conjunction with other procedures as 
for example location updating. This scenario is depicted in figure |2] 

2.3 The UMTS Authentication and Key Agreement Protocol 

The Authentication and Key Agreement (AKA) protocol aims to achieve the mutual authentication of 
MS and SN, and to establish shared session keys to be used to secure the subsequent communications. The 
session keys are not exchanged during the protocol but computed locally by the MS and the SN. According 
to [31, the authentication procedure is always initiated by the SN for the purpose of: 

• Checking whether the identity provided by the MS is acceptable or not. 

• Providing parameters enabling the MS to calculate a new UMTS ciphering key. 

• Providing parameters enabling the MS to calculate a new UMTS integrity key. 

• Allowing the MS to authenticate the network. 
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Figure 3: Authentication and Key Agreement protocol 



The MS and the Home Network (HN) share a secret cryptographic key K, assigned to the subscriber by the 
network operator and loaded on the USIM card. The secret key allows MS and HN to compute, off-line, 
shared ciphering and integrity keys to be used for encryption and integrity check of the communication. 

The AKA protocol consists in the exchange of two messages: the authentication request and the authen- 
tication response. In figure |3] a successful execution of the AKA protocol is shown. The SN initiates the 
authentication and key agreement procedure as follows: 

• Before sending an authentication request to the MS, the serving network requests authentication data 
from the mobile station's home network (HN). The home network returns an authentication vector 
containing a random challenge RAND, the authentication token AUTN computed from it, the ex- 
pected authentication response flKiRAND), the integrity key IK and the encryption key CK. The 
functions, /l,/2,/3,/4, and /5, used to compute the authentication parameters are cryptographic 
functions computed using the shared key K and are defined in the UMTS standard. The authentica- 
tion function /I is used to calculate the MAC (Message Authentication Code), /2 is used to produce 
the authentication response parameter RES ; the key generating functions, f3,f4, and /5 are used to 
generate the ciphering, CK, the integrity, IK, and the anonymity key, AK, respectively. 

• The SN sends the authentication challenge RAND and the authentication token AUTN to the MS. 
The authentication token contains a MAC which is computed applying the function fl to the con- 
catenation of the random number with a sequence number, S QNhn, generated by the HN/AuC using 
an individual counter for each user A new sequence number is generated either by increment of the 
counter or through time based algorithms as defined in [3 1. The sequence number S QNhn identifies 
the authentication vector and allows the MS to verify the freshness of the authentication request (see 
figure [3]). 

• When the MS receives the [RAND, AUTN) message it first retrieves the sequence number (S QNhn), 
verifies the MAC [MAC - XMAC). This step ensure the MAC was generated by the network using 
the shared key K. The mobile station stores the greatest sequence number used for authentication, 
S QNms ■ This value is used to check the freshness of the authentication request (S QNms < S QNhn)- 
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Figure 4: AKA Failure Messages 

• The MS computes the ciphering key, the integrity key and the authentication response RES message 
and sends RES to the network. 

• The SN authenticates the MS verifying whether the received response is equal to the expected one 
(RES = flKiRAND)). 

After successful authentication, the SN sends a security mode command message to the MS, indicating 
which one of the allowed algorithms to use for ciphering and integrity checking of the subsequent commu- 
nications. 

The authentication procedure can fail on the MS side either because the MAC verification failed, or 
because the received sequence number is not in the correct range with respect to the sequence number stored 
in the MS (SQNms)- In the former case, the MS sends an authentication failure message indicating Mac 
Failure as the failure cause. In the latter case, the MS sends an authentication failure message containing 
the AUTS parameter and indicating Synchronization Failure as the failure cause. The AUTS parameter 
contains the sequence number S QNms ^ to allow the SN to perform a re-synchronization and a MAC for 
authenticity and integrity purposes. 

The authentication procedure can fail on the SN side because the RES verification failed, in this case 
the SN sends an authentication reject message. 

For simplicity, we are not considering here failure situations in which the network initiates other pro- 
cedures to recover from an authentication failure. Figure [4] depicts the error messages possibly occurring 
during the authentication procedure. 



3 Linkability Attack 

Despite the use of temporary identities to avoid the linkability of UMTS subscribers, the execution of 
the AKA protocol enables an active attacker to trace UMTS subscribers. An active attacker could intercept 
an authentication request message containing the pair {RAND,AUTN) sent by the SN to a victim mobile 
station MS y. The captured authentication request can be replayed by the adversary to check the presence 
of MSy. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the 
one the authentication request was originally sent to. On reception of the replayed {RAND,AUTN), the 
victim mobile station, MS v, successfully verifies the MAC and sends a synchronization failure message. 
While, the MAC verification fails when executed by any other mobile station and as a result a MAC failure 
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Figure 5: Linkability attack 



message is sent. The implementation of few false base stations would then allow an attacker to trace the 
movements of a victim mobile station, resulting in a breach of the subscriber untraceability. The proposed 
attack is shown in figure |5] 

Intuitively, the UMTS AKA protocol linkability problem can easily be solved by simply sending the 
same error message for any kind of failure occurring. In the following sections, we introduce the theoretical 
framework we used to automatically verify the unlinkability and anonymity of this simple fix. In addition, 
we illustrate the UMTS AKA protocol model and discuss the verification results. 



4 Formal Analysis of Privacy-related Properties 

In the following sections we present the ProVerif process language. We introduce the model of UMTS 
AKA protocol and the formalization of the privacy properties under analysis. Further, we discuss the result 
of the verification with the ProVerif tool of both the original protocol and the fixed version. 

4.1 ProVerif Process Language 

The ProVerif process language is similar to the applied pi-calculus, which is a formal language, in- 
troduced by Abadi and Fournet ||10 |, for modelling concurrent processes and ease the modelling of cryp- 
tographic protocols. The ProVerif process language makes it possible to automatically verify protocol 
models written in the language, using the ProVerif tool 1 1 1 1. 

Cryptographic primitives are modelled as functions and messages are represented by terms of the 
ProVerif process language built over an infinite set of names, an infinite set of variables and the set of 
considered cryptographic primitives. A function symbol with arity is a constant symbol. Functions are 
distinguished in two categories: constructors and destructors. We write / for constructors and g for destruc- 
tors. Terms are variables, names and application of constructors and are defined by the following grammar: 

L,M,N,T ::= Terms 
a,b,c, . . . Name 
x,y,z,--. Variable 
/(Ml , . . . , Ml) Function application 
where / G 2 and / matches the arity of / 

Destructors are defined by a set of reduction rules of the form g{M[, . . . , Mi) — > M which can be applied by 
processes to manipulate terms. 

Example 1. Using functions and reduction rules we can define cryptographic functions, for example, let 
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2 = {senc/2,pub/l, aenc/3, xor/2, (9/0, ), and consider the reductions 

sdecik, sencik, m)) -> m 



adec{k, aenc{pub{k), m, r)) -> m 

xor(xor(x, y),z) -> xor(x, (xor(y, z)) 

xor(x, y) — > xor(y, x) 

xor(x, Q) — > X 

xor(x, x) —^8 

In this example, senc and aenc model, respectively, symmetric and non deterministic asymmetric encryp- 
tion. The first reduction rule allows to decrypt an encrypted message, m, given the knowledge of the en- 
cryption key k, hence it defines symmetric encryption. While, the second rules allows to decrypt a message, 
m, encrypted using a public key, pub(k), and a random value, r, given the knowledge of the corresponding 
private key k. Therefore, it defines non deterministic public key encryption. 

The function xor is described by a set of reductions modelling its algebraic properties and a constant 8 
representing the value 0. 

The grammar for processes of the ProVerif process language is the following: 

P,Q,R::= plain processes 

null process 

P I Q parallel composition 

\P replication 
new n; P name restriction 

if M = N then P else Q conditional 
let X = giMi, M„) in P destructor appUcation 

else Q 

in(M, x) ; P message input 

out(M, A^); P message output 

The null process does nothing. The parallel composition of P and Q represents the parallel execution of P 
and Q. The replication of a process P acts like the parallel execution of unboundedly many copies of P. 
The name restriction vn.P creates a new name n whose scope is restricted to the process P and then runs 
P. Note that we check for equality modulo the equational theory rather than syntactic equality of terms. 
The message input in(M, x); P represents a process ready to input from the channel M, the actual message 
received will be substituted to x in P, the syntactic substitution of a term T for the variable x in the process 
P is denoted by P{^ /x}- The message output out(M, A^); P describes a process ready to send a term A' on the 
channel M and then to run P. The let construct defines a process that evaluates giMi, . .., M„) and behaves 
as P, where x is substituted with the evaluation of giMi, M„) in P, if the evaluation of giMi, .. ., M„) 
is successful, and behaves as Q otherwise. The conditional checks the equality of two terms M and A'^ and 
then behaves as P or Q accordingly. 

The conditional is actually defined in terms of let. A destructor equals is defined, with the reduction 
equals(x, x) — > x. The if construct stands for let x = equals(M, A^) in P else Q. We also use some 
syntactic sugar to allow the let construct to introduce abbreviations such as let x = M in P. Moreover, 
we assume impUcit definitions of constructors and destructors of tuples. In particular, we allow impUcit ap- 
plication of tuple destructors using pattern matching, as for example let (xi, ...,x„) = M in P else Q, 
that if M is an n-tuple, executes P where xi, . . . , x„ are substituted with fstiM), sndiM), ...,n- thiM), and 
executes Q otherwise. 

The definition of a process in the ProVerif language consists of a set of declarations which allow to 
define: 

free a. free names; 

fun f/arity. functions and their arity; 

reduc f (x , y , . . ) =f (w , z , . . ) ■ the fimctions' reduction rules; 
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let A = P . a subprocess A, where P is defined by the grammar given above; 
Process P the main process, where P is defined by the grammar given above. 

Example 2. We can model a system S where mobile stations, MS, with identity, imsi, run along with a 
serving network, SN, with which they share a private key k as the process: 

let S = !new k; new imsi; !new sqn;CSN | MS) 

The serving network process SN executing the AKA protocol can be modelled by the following ProVerif 

process: 

1 let SN = 

2 new rand; 

3 let mac = fl(k, (rand, sqn)) in 

4 let ak = f5(k, rand) in 

5 let autn = (xorCsqn, ak) , mac) in 

6 out(c, (rand, autn)); 

7 in(c, xres) . 

The SN creates a fresh random number and calculates the parameters needed during the authentication 
process. It sends the random and the authentication token on a public channel c. Finally, the SN waits for 
the authentication response. 

A mobile station can be represented by the following process: 



1 let 


MS = 


2 


in(c, x); 


3 


let (xrand, xautn) = x in 


4 


let (y, xmac) = xautn in 


5 


let ak = £5(k, xrand) in 


6 


let xsqn = xor(y, ak) in 


7 


let mac = fl(k, (xrand, xsqn)) in 


8 


if xmac - mac then 


9 


if xsqn = sqn then 


IS 


let res = f2(k, xrand) : 


11 


out(c, res) 


12 


else 


13 


out(c, synchFail) 


14 


else 


15 


out(c, macFail) . 



The MS waits for an authentication request, from which it retrieves the mac and the sequence number 
( respectively xmac and xsqn), checks if they are equal to the locally computed ones (mac, sqn) and sends 
either the authentication response res or a failure message, indicating the failure cause. 



4.2 Formal Semantics 

The evaluation of terms (JJ.) of the ProVerif process language is defined by the following rules: 

M Jl M 
g(Di,...,D,) H. crN 

ifgiNu...,N„)^N 6 Sand 

(T is such that Vi, D,- U M, and M, = aNi 

The structural equivalence relation (=) defines when syntactically different processes represent the same 
process, allowing to rule out uninteresting syntactic differences between processes: 

P = P\0 
P\Q = Q\P 
P\{Q\R) = iP\Q)\R 

new a; new b;P = new b; new a; P 

P\newa;Q = new a; (P \ Q) if a ^ fn(P) 
P = P 
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P=Q P=Q,Q = R P = Q 

Q = P P = R new a;P = new a; Q 

The reduction relation (— >) describes how processes evolve. According to the first reduction rule, input 
and output actions on a channel can synchronize, resulting in the message M to be communicated, i.e. 
substituted for x in Q. The let construct tries to evaluate the term D, if the evaluation is successful, i.e. 
D JJ, M then M is substituted for x in P otherwise the process Q is executed. The replication of P can evolve 
to the parallel execution of an unfolded copy of P running in parallel with its repUcation. Moreover, we 
have that if a process P can evolve to Q, when in isolation, then it can perform the same step when running 
in parallel with another process R. The reduction relation is closed by name restriction and structural 
equivalence. 

out(Ar, M);P I in(Ar,jc);e ^ P I Gi*"/.} 
let jc = D in P else Q P{^/,,} 

ifD Jl M 

let jc = D in P else 2 Q 

if there is no M such that D ||, M 
IP P|!P 

P^Q P^Q 
P\R^ Q\R new a;P^ new a; Q 

P' = P,P ^ Q,Q = Q' 
P' ^Q' 

We write — >* for the reflexive and transitive closure of — >. 
4.3 Observational Equivalence 

A context is a process with a hole, C[_]. An evaluation context is a context whose hole is not under 
a replication, a conditional, an input or an output. An evaluation context represents an attacker, i.e. any 
process which may follow or not the protocol rules and interact with our "well behaving" processes. We 
say that a context closes A when C\P^ is closed, where C[P] is the process obtained by filling Cs hole with 
P. We write P J,m if ^' can send a message on the channel M, that is, if P — >* C\put{M,N);P'\ for some 
term A'^ and some evaluation context C[_] that does not bind the free names in M 

Defuiition 1. Observational equivalence («) is the largest symmetric relation between closed processes 
with the same domain such that PKQ implies: 

1. if P Xm then g J,M 

2. if P ^* P' then Q ^* Q' and P' H Q' for some Q' 

3. C[P] n C[Q\ for aU closing evaluation context C[_] 

Intuitively, observational equivalence captures the idea that two processes are indistinguishable if their 
observable behaviour is the same. The observable behaviour of a process is what an attacker (evaluation 
context) can observe and deduce using the equivalence relations on terms when the process interacts with 
the environment i.e. outputs on free channels. 

The ProVerif process language can represent pairs of processes having the same structure and difl'ering 
only by some terms and term evaluations, such a pair of processes is called biprocess. Biprocesses are 
represented by extending the language grammar with the choice[M, M'] term and the choice[Z),Z)'] term 
evaluation. A biprocess P defines two processes: fst(P) which is obtained by replacing all occurrences of 
choice[M, M'] with M and choice[Z), D'] with DinP, and, snd{P) obtained by replacing choice[M, M'] 
with M' and choice[Z),Z)'] with D' in P. 

The ProVerif tool can prove the observational equivalence of biprocesses, which is defined as foUows: 

Definition 2. Let P be a closed biprocess. We say that P satisfies observational equivalence when fst{P) « 
snd{P). 
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let SN = 

new rand; 

let mac = fl(k, (rand, sqn)) in 

let ak = £5Ck, rand) in 

let autn = ((sqn, ak) , mac) in 

out(c, (rand, autn)); 

in(c, xres) . 

let MS = 

in(c, x); 

let (xrand, xautn) = x in 
let (y, xmac) = xautn in 
let ak = f5(k, xrand) in 
let y = (xsqn, xak) in 
let mac = £l(k, (xrand, xsqn)) in 
if xmac = mac then 

if xsqn = sqn then 

let res = f2(k, xrand) in 
out(c, res) 

else 

out(c. Fail) 

else 

out(c, Fail). 



Figure 6: SN and MS process, sending the same error message for both MAC verification and synchroniza- 
tion failures and without the use of the xor function 

5 Fixing the UMTS AKA Protocol 

In this section, we present the verification of the unhnkabihty and anonymity properties of the UMTS 
AKA protocol when sending the same error message for both MAC verification and synchronization fail- 
ures. We use the formalization of privacy related properties as given by Arapinis et al. in |fT2l. namely 
strong unlinkability and strong anonymity. The definitions we present here are tailored to our case study, 
we refer the reader to 1 12| for the general ones. 

Though the theory allows to write a set of reduction rules to model the xor function, the ProVerif tool 
cannot deal with its algebraic properties. Hence, in the models used for the verification of unlinkability and 
anonymity the xor is replaced in the SN and MS models presented in example |2j in the following way: 

• The xor in the calculation of autn by the SN process at line 5 is substituted by a pair: 
let autn = ((sqn, ak) , mac) in 

• The xor at line 6 of the MS process is replaced by a pattern matching on the received pair: 
let (xsqn, xak) = y in 

The fixed version of the SN and MS process, sending the same error message for both MAC verification 
and synchronization failures and without the use of the xor function, is shown in figure |6] 

5.1 Strong Unlinkability 

Informally, the strong unlinkability property holds when a system in which agents access a service 
multiple times looks the same as a system in which agents access the service at most once. We use this 
definition since it captures well the concept of user untraceability stated in the 3GPP standard. Let SN and 
MS be a serving network process and a mobile station process as defined in example [2] and consider the 
system S ununk defined as follows: 

S UNLINK =!new A:; new /mi/; new sqn; (SN \ MS) 
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where k is the long term shared key. Each instance of MS in S unlink represents a different mobile station, 
with key k and identity imsi which can execute the protocol at most once. The system S unlink is an ideal 
system with respect to the unlinkability of a mobile station, which by definition cannot be linked because it 
executes only once. 

Let 5 be a system where mobile stations can execute more than once, as defined in example |2] Following 
the definition given in lfT2ll . the unlikabihty property is satisfied if the system S is observationally equivalent 
to a system S unlink- 

S ~ S UNLINK 



5.1.1 Pro Verif Verification 

To make the defined observational equivalence suitable for the verification with ProVerif, we defined 
the two systems S and S unlink as the following biprocess S : 

S = ! new s^l; new /mi/l; 

! new sk2; new imsil; new sqn; 

let {k,imsi) - di\oi.ce.{{sk\,imsi\),{sk2,imsi2)'\ in 
{SN\ MS) 

where sk\ , sk2 are long term keys and imsil , imsil are long term identities. We have that fst(P) represents a 
system where a mobile station (with key ski) may execute the protocol many times, while snd{P) represents 
a system where mobile stations execute the protocol at most once (the key ski is always different). This 
makes the definition of strong unlikability suitable for the automatic verification using ProVerif, because 
it reduces the problem of testing strong unlinkability to the observational equivalence of a biprocess (fst(P) 
and snd{P) differ only in the choice of the identity and related key, i.e. choiceli ski, imsil), (ski, imsil)}). 

The verification of the simple fix of the UMTS AKA protocol with the ProVerif tool shows that the 
unlinkability property holds. The verification of the original protocol results, as expected, in the breach 
of the unlinkability property. The ProVerif code used to verify the unlinkability property of the original 



protocol and of the fixed version is shown respectively in figure 10 and figure 1 1 



5.2 Strong Anonymity 

Informally, strong anonymity requires a system where the user imsi^ with publicly known identity 
executes the role Rj to be undistinguishable from a system where the user imsi^ is not present at all, which is 
the ideal system from imsi^'s anonymity preservation point of view. This notion captures well the definition 
of user identity confidentiality stated in the 3GPP standard. 

Let SN and MS be a serving network and a mobile station process as defined in example|2]and let MS w 
be mobile station processes such that. MSw has known, public identity imsiw MSw is defined as follows: 

MSw = !M5{™«"/™.,) 

where imsi„ is the publicly known identity of MSw- The strong anonymity holds when the following 
observational equivalence is satisfied: 

\MS I \SN^\MS \ MSw\ \SN 



5.2.1 ProVerif Verification 

The mobile stations' permanent identities are modelled as secret names, to verify the strong anonymity 
property we give the adversary the knowledge of one identity, modelled as a free (public) name. We define a 
system 5 IV where the mobile station with publicly known identity imsijwl executes the protocol as follows: 

free it7isi_wl. 

Sw — riew sk^wl; 

!new sk-ms; new imsijns; new sqrijns; new sqriJtv; 

let {imsi, k) — {imsijns, skjns) in 

let sqn - sqnjns in {SN \ MS) 

I 

let {imsi,k) — {imsi^wl, skjvl) in 
let sqn = sqri-W in {SN \ MS) 
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where sk2 and skjiis are permanent shared keys, imsijtvl, imsijns are permanent mobile stations identities. 
The given model represent a system where a mobile station with public identity imsijwl can run the protocol 
in parallel with unboundedly many mobile stations having secret identities. The anonymity properties as 
tested by ProVerif is described by the following biprocess: 

free imsi_w2. 

S - new 5fe_vvl; new /m.s/_wl; new .sA:_w2; 

!new skjns; new imsijns; new sqnjns; new sqn_w; 
let (imsi,k) — (imsijns, skj7is) in 
let sqn - sqnjns in (SN \ MS) 

I 

let (imsi, k) — 

choice[(/OTi/_wl, sk.wl), {imsijw2, skjwl)] in 
let sqn - sqn_w in {SN \ MS) 

where fstiS ) is a system where only mobile stations with secret identities execute the protocol and snd{S ) - 
5 ly is a system where the mobile station with publicly known identity imsi-wl may run the protocol. 



The relevant parts of the ProVerif code used to verify the anonymity property are shown in figure 12 
ProVerif proved that the anonymity property is achieved by both the fixed version and the original 
version of the UMTS AKA protocol. 



6 Discussion 

The xor function is used in the UMTS AKA protocol to combine the sequence number S QN with the 
AK parameter. Instead of modelling a simplified version of the xor function, we chose to send the SQN 
and AK parameter in clear, i.e. as components of a tuple. We believe this abstraction is sound, in this case, 
because it gives more discretional power to the attacker. However, a formal proof of the soundness of this 
abstraction is not given in this paper. 

Besides the xor abstraction, the verification of the fixed version of the AKA protocol shows that our 
simple fix thwarts the information leakage problem which causes the linkability of UMTS subscribers. 

The proposed simple solution does not diversify the type of errors, hence it would invalidate error 
recovery features of the protocol. Instead, we suggest the adoption of a public key infrastructure where 
each home network has a public key known by the mobile stations (it could be stored in the USIM). When 
an error occurs, during the authentication procedure, the mobile station can encrypt the error message 
using the HN public key and then send the error message on the radio channel (see figure [7]). Notice that 
the introduction of random padding values will be required to obtain a non-deterministic encryption of 
the error messages and avoid known cypher text attacks being performed by the attacker. Furthermore, 
meaningful error messages allowing re-synchronization and sender authentication should be used in a real 
implementation. 



7 Future Work 

The work presented in this document is still in progress. We discuss in this session the issues currently 
under examination. In modelling the AKA protocol, we made some abstractions to ease the modelling 
process and to overcome ProVerif's limitations. In particular, we send the sequence numbers in clear, 
instead of XOR-ing them with the AK parameter Moreover, in our model the HN and MS view of sequence 
numbers is perfectly synchronized. 

Intuitively, the XOR abstraction is sound, since we give the attacker more information, with respect 
to the original protocol, hence we leave more room for attacks. With this abstraction, the unlinkability 
of the AKA can be proved when our simple fix is applied to it. The perfect synchronization of sequence 
numbers, intuitively, does not affect the unlinkability property, in fact in both the original AKA protocol and 
the fixed one, they are sent in clear. Moreover, the linkability attack relies on the possibility of replaying 
old authentication requests, i.e. old sequence numbers, hence the currently valid sequence numbers are 
irrelevant from the attacker's point of view. We are currently working on the soundness of our abstractions. 
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MS SN/HN 



S QNms , PKhn K, S QNun, S K^n 




AUTH_REQ(RAA'D, A UTN) 








if MAC + XMAC then 

RES ^ {MAC.FAILURE]pkhn 

else 

if sew™ <=SQN„s then 

RES <- [SYNCH _FAILURE}pK„fj 

eheRES ^ flxiRAND) 






AUTH_RES(i?£5) 





Figure 7: AKA protocol with public key encryption of error messages 

ProVerif cannot prove the unlinkability of the public key based fix of the AKA protocol a manual proof 
will be given instead. 

While modelling the AKA protocol and studying its privacy properties, we started questioning the fea- 
sibility of the linkability attack in real settings. Hence we investigated the available open source projects 
related to mobile telephony technologies and we are currently working on the actual implementation of the 
proposed linkability attack. 

8 Conclusions 

We showed that despite the use of temporary identities UMTS subscribers can be traced thanks to the 
information leaked by the authentication and key agreement protocol. We proposed a public-key-based 
countermeasure to ensure both unlinkability and anonymity of UMTS subscribers while keeping the UMTS 
security architecture mostly unchanged. Furthermore, we successfully use the definition given in |12| to 
automatically verify privacy related properties. Though our approach is not applicable to more general 
settings, it can be used to automatically verify unlinkability and anonymity of protocols which do not use 
the user identity during the initialization phase. 
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public communication channel "') 
free c. 



(* constant values 

fun macFail/0. fun synchFail/0. fun Fail/0. 

UMTS AKA protocol specific mac and key generation functions 
fun fl/2. fun f2/2. fun f3/2. fun f4/2 . fun f5/2. 

(•■ generic symmetric encryption function *) 
fun senc/2 . 

reduc sdec(k, senc(k, m)) = m. 



Figure 8: The pubhc channel, the cryptographic primitives and the constant values 
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9 Appendix 

In this section, we present the code used for the verification with ProVerif an clarify some technical 
details. In the rest of this section we will use the notation: 

section heading 



to avoid code repetition and ease the reading. 

In the following figure, we introduce the functions and reductions we used to model the cryptographic 
primitives involved in the UMTS authentication and key agreement protocol. The function senc model 
symmetric encryption, while f 1 , f 2 , f 3 , f4 and f 5 are protocol specific one way cryptographic func- 
tions. Moreover, in this part of the code we declare a public channel c and three constant values macFail, 
synchFail and Fail. The public channel and function declaration is reported in figure [8] The serving 
network process did not present any technical challenge in the modelling process and is the same for all the 
verified properties, hence is briefly reported in figure |9j without further remarks. 

The code in figure 10 was used to verify the unlinkability of the UMTS AKA protocol. Though, the 
evaluation of an if statement condition is part of the internal behaviour of a process, Pr over if considers 
processes, which execute different branches of an if statement, not observationally equivalent. Hence it 
might exhibit false attacks. In fact, the ProVerif tool is proved to be sound but not complete. This means 
that if ProVerif does not find an attack, this is a proof that there are no attacks, and the security property 
holds in the verified model. Though, the contrary it is not true, i.e. if ProVerif does find an attack, it is 
not a proof that the property does not hold, because the attack may or may not match a real attack, and the 
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(* Serving Network process *) 
let SN = new rand; 

let mac = fl(xk, (rand, xsqn)) in 
let ak = £5(xk, rand) in 
let autn = (xsqn, ak, mac) in 
outCc, (rand, autn)); 
in(c, xres) . 



Figure 9: Serving Network Process 



property could still be proved to be satisfied using, for example, manual techniques. To avoid this problem, 
when verifying the unlikability property, we introduced a function err and a destructor geterr, which 
allow to check the validity of MAC and sequence number, and at the same time retrieve the error message. 
The use of the err function avoids the introduction of extra if statements that would lead to false attacks. 
As explained in section [5] the UMTS AKA protocol does not satisfy the linkability property and in fact 
ProVerif cannot prove the observational equivalence and finds that an attacker can distinguish the two 
processes because different error messages can be sent as answer for the same authentication request. 

The code in figure 1 1 shows the AKA protocol fixed so that the same error message is sent, indepen- 
dently from the kind of failure occurred. This is obtained by simply changing the definition of the err 
function. This solution is proved to satisfy unlinkability. In figure [l2j we show the code we used to verify 
the AKA anonymity property. In this case, the if statements were not source of false attack, hence we did 
not use the err function. As expected the anonymity property holds because the private identities of the 
mobile stations are never revealed (i.e. sent on the public channel). 
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C* public channel and cryptographic primitives *) 



fun err/4, 
reduc 

geterrC errCx, z, y, y)) = macFail; 
geterrC errCx, x, y, z)) = synchFail. 

C* Serving Network process *) 



C* Mobile Station process *) 
let MS = in(c, x) ; 

let (xrand, xautn) = x in 
let (xsqn, xak, xmac) = xautn in 
let mac = flCk, (xrand, xsqn)) in 
if (xmac, xsqn) = (mac, sqn) then 
let res = f2Ck, xrand) in 
outCc, res) 

else 

let ermsg = geterr(err(mac, xmac, sqn, xsqn)) in 
outCc, ermsg) 

). 

process !new ski; new imsil; 

!new sk2; new imsi2; new sqn; 

let (k, imsi) = choice [(ski, imsil), (sk2, imsi2)] in 
(SN I MS) 

Figure 10: AKA protocol Unlinkability 



(* public channel and cryptographic primitives *) 



fun err/4, 
reduc 

geterr( err(x, z, y, y)) = Fail; 



(" Serving Network process *) 



(* Mobile Station process *) 



process !new ski; new imsil; 

!new sk2; new imsi2; new sqn; 

let (k, imsi) = choice [(ski, imsil), (sk2, imsi2)] in 
(SN I MS) 



Figure 1 1 : AKA protocol Unlinkability: simple fix 
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C* public channel and cryptographic primitives *) 



C* Serving Network process *) 



(* public identity *) 
free imsi_w2 . 

C* Mobile Station processes *) 
let MS = 

inCc x); 

let (xrand, xautn) = x in 
let (xsqn, xak, xmac) = xautn in 
let mac = fl(k, (xrand, xsqn)) in 
if (xmac, xsqn) = (mac, sqn) then 
if xsqn = sqn then 

let res = f2(k, xrand) in 
out(c, res) 
else out(c, synchFail) 
else out(c, macFail) . 

process new sk_wl;new sk_w2;new imsi_wl; 
!new skjis;new imsi_ms; 
!new sqn_w;new sqn_ms; 
let (imsi,k) = (imsi_ms, sk_ms) in 
let sqn = sqn_ms in (SN |MS) 

I 

let (imsi,k) = 

choice [ (imsi_wl , sk_wl) , (imsi_w2 , sk_w2)] in 
let sqn = sqn_w in (SN|MS) 

Figure 12: AKA protocol Anonymity 
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